The Cisco 210-260 PDF, 210-260 VCE and 210-260 exam questions and answers at Lead2pass are written and prepared by Cisco affiliated trainers and lecturers with decades of experience in the IT field. This ensures that you are equipped with the latest and most current information to give you a better chance of passing the Cisco 210-260 exam.

QUESTION 142When an administrator initiates a device wipe command from the ISE, what is the immediate effect?

A. It requests the administrator to choose between erasing all device data or only managed corporate data.B. It requests the administrator to enter the device PIN or password before proceeding with the operationC. It immediately erases all data on the device.D. It notifies the device user and proceeds with the erase operation

Answer: A

QUESTION 143How does a device on a network using ISE receive its digital certificate during the new-device registration process?

A. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA serverB. The device request a new certificate directly from a central CAC. ISE issues a pre-defined certificate from a local databaseD. ISE issues a certificate from its internal CA server.

A. the Cisco ASA is implicitly stateless because it blocks all traffic by default.B. They compare the 5-tuple of each incoming packets against configurable rules.C. They cannot track connections..D. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS..E. Cisco IOS cannot implement them because the platform is Stateful by nature

Answer: ACDExplanation:The last encrypted part is the Payload Data. The unencrypted parts are the Security Parameter Index and the Sequence Number.

QUESTION 147Which type of PVLAN port allows host in the same VLAN to communicate directly with the other?

A. promiscuous for hosts in the PVLANB. span for hosts in the PVLANC. Community for hosts in the PVLAND. isolated for hosts in the PVLAN

Answer: CExplanation:Hosts in the same PVLAN Community can communicate with one another.

QUESTION 148Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakamp sa command. What does the given output shows?

A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2B. IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and10.10.10.2C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2D. IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiate with 10.10.10.2

Answer: AExplanation:The MM_NO_STATE state indicates that the phase 1 policy does not match on both sides, therefore main mode failed to negotiate. Aggressive mode is indicated by AG instead of MM.

QUESTION 149Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakamp sa command. What does the given output shows?

A. IPSec Phase 2 established between 10.10.10.2 and 10.1.1.5B. IPSec Phase 1 established between 10.10.10.2 and 10.1.1.5C. IPSec Phase 2 is down due to a QM_IDLE state.D. IPSec Phase 1 is down due to a QM_IDLE state.

Answer: BExplanation:An IDLE state is good and means that the connection and key exchange have taken place successfully. QM indicates that the device is ready for phase 2 (quick mode) and subsequent data transfer.

QUESTION 150Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?

A. Edit the crypto keys on R1 and R2 to match.B. Edit the crypto isakmp key command on each router with the address value of its own interfaceC. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.D. set a valid value for the crypto key lifetime on each router.

Answer: AExplanation:The crypto keys don’t match here. I’ve inferred and assumed that the destination address at the end of the “Crypto isakmp key test12345 address 10.30.30.5” line is the IP address of R1. By extension, this would produce an MM_NO_STATE state if you ran the “show crypto isakmp sa” command, as it would never connect to begin phase 1.

QUESTION 151Refer to the exhibit. Which statement about the given configuration is true?

A. The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity.B. The single-connection command causes the device to process one TACACS request and then move to the next server.C. The single-connection command causes the device to establish one connection for all TACACS transactions.D. The router communicates with the NAS on the default port, TCP 1645

Answer: CExplanation:In order for TACACS+ servers to fail over, they must be configured in a TACACS server group, which these are not, which eliminates A and B. D is incorrect.

QUESTION 152Refer to the exhibit. What is the effect of the given command?

A. It configure the network to use a different transform set between peers.B. It merges authentication and encryption methods to protect traffic that matches an ACL.C. It configures encryption for MD5 HMAC.D. It configures authentications as AES 256.

Answer: BExplanation:Because a transform set defines a method to encrypt traffic: esp-aes-256 and a method to authenticate: esp-md5-hmac

QUESTION 153Refer to the exhibit. What are two effects of the given command? (Choose two.)

A. It configures authentication to use AES 256.B. It configures authentication to use MD5 HMAC.C. It configures authorization use AES 256.D. It configures encryption to use MD5 HMAC.E. It configures encryption to use AES 256.

Answer: BE

QUESTION 154What is a valid implicit permit rule for traffic that is traversing the ASA firewall?

A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in transparent mode onlyB. Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode.C. ARPs in both directions are permitted in transparent mode onlyD. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed mode onlyE. Only BPDUs from a higher security interface to a lower security interface are permitted in transparent mode.

Answer: CExplanation:IPv4 and IPv6 traffic is permitted in both routed and transparent mode from higher to lower security interfaces.

QUESTION 155You have been tasked with blocking user access to website that violate company policy, but the site use dynamic IP Addresses. What is the best practice URL filtering to solve the problem?

A. Enable URL filtering and create a blacklist to block the websites that violate company policy.B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to access.C. Enable URL filtering and use URL categorization to allow only the websites the company policy allow users to accessD. Enable URL filtering and create a whitelist to block the websites that violate company policy.E. Enable URL filtering and use URL categorization to block the websites that violate company policy.

Answer: EExplanation:Categorization will catch a large number of related websites, regardless of the address or IP.

QUESTION 156What is the potential drawback to leaving VLAN 1 as the native VLAN?

A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.B. The CAM might be overloaded, effectively turning the switch into hub.C. VLAN 1 might be vulnerable to IP address spoofingD. It may be susceptible to a VLAN hopping attack

Answer: D

QUESTION 157Refer to the exhibit. Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?

Answer: AExplanation:Because IPS inline gets the live traffic as it’s passing through the network and can take direct action on the traffic if it detects any malicious activity. The actions are drop, block, TCP reset, shun, alert, log, modify.

QUESTION 159In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three)

A. When matching ACL entries are configuredB. when matching NAT entries are configuredC. When the firewall requires strict HTTP inspectionD. When the firewall requires HTTP inspectionE. When the firewall receives a SYN-ACK packetF. When the firewall receives a SYN packet

Answer: ABE

QUESTION 160Which technology can be used to rate data fidelity and to provide an authenticated hash for data?